Next month, the General Data Protection Regulation (GDPR) takes effect, and with it comes a major change to the way we all manage and store candidate and employee data.
Because these new rules can disrupt the processes of attracting talent and managing hiring, we are working hard to keep our clients ahead of the changes.
What is the GDPR?
The GDPR is EU-wide legislation that applies directly in every member state; in the UK it supersedes the Data Protection Act 1998. Intended to strengthen and unify data protection for all individuals within the European Union (EU), it also governs the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by replacing a patchwork of national laws with one regulation.
Although many companies have already adopted privacy processes and procedures consistent with the previous Data Protection Directive (95/46/EC), the GDPR adds a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it goes into effect.
The regulation is not limited to companies based in Europe: it also reaches organisations outside the EU, including in the Americas, that offer goods or services to people in the EU or monitor their behaviour. Its aim is consistent protection of consumer and personal data across all EU nations.
What is the Purpose of the GDPR?
The purpose of the GDPR is to provide a single set of data protection rules across all member countries, so that people in the EU can clearly understand how their data is being used and can raise complaints with a supervisory authority when it is misused.
What are the key privacy and data protection requirements of the GDPR?
- Requiring a lawful basis, such as the explicit consent of the data subject, before personal data is processed
- Anonymizing or pseudonymizing collected data to protect privacy
- Notifying the supervisory authority of a personal data breach (within 72 hours of becoming aware of it) and, where the risk to individuals is high, notifying the affected individuals
- Safely handling the transfer of personal data across borders, in particular to countries outside the EU
- Requiring certain organisations to appoint a data protection officer to oversee GDPR compliance
What is a Data Controller, and What is a Data Processor?
- Data Controller - A controller determines the purposes and means of processing personal data; in other words, it decides why and how the data is used.
- Data Processor - A processor processes personal data on behalf of, and on the instructions of, a controller.
Who is the Data Controller in the Harri-Customer relationship?
Job Seekers set up personal recruitment profiles within Harri, which the Job Seeker can use to apply for jobs with any and all of our Customers. This data is controlled by Harri until the Job Seeker deletes the recruitment profile.
This is important: under the GDPR, a restaurant does not automatically have a lawful basis to hold on to an application indefinitely (in fact, restaurants should discard them after 6 months). Most restaurants will either discard an application immediately or hold on to it for too long, and both put them at risk.
Harri saves you this hassle. How? Because our members (job seekers) are the ones applying to jobs. Since they have explicitly opted to open an account and create a profile on Harri, their data remains with us until they opt out. This means that, as an employer, you can reach out to Harri candidates who applied years ago.
The data is shared with a Customer when a Job Seeker applies for a role with that Customer. From that point the Customer is also a controller of the recruitment profile and of any other personal data the Job Seeker provides.
Because Harri and our Customers both make decisions about how a Job Seeker's personal data is processed, Harri and the Customer are deemed to be Joint Controllers of that data.
What is Harri doing to ensure compliance?
Harri takes the protection of personal data very seriously, as it underpins everything we do. We continue to take advice from our legal partners, and we have enlisted the support of industry experts to ensure that we remain compliant.
Here is how we’ll support our customers:
- An updated Data Processing Agreement (DPA) that reflects GDPR requirements and covers compliant transfer of personal data to storage outside the EU.
- New product capabilities to assist with compliance when users ask you to delete or suppress their data.
- Allowing you direct communication to our Data Protection Officer (DPO) simply by emailing firstname.lastname@example.org.
We look forward to assisting your company in its mission to protect the privacy rights of your employees and candidates.